Nico Kadel-Garcia wrote on Thu, Apr 10, 2014 at 23:53:14 -0400:
> I was just realizing that no one has mentioned it here: For anyone
> running HTTPS based Subversion servers, they should really take a good
> look at whether their web server is vulnerable to the "HeartBleed"
> security problem in OpenSSL.

Repositories served exclusively with http:// (non-SSLed), svn+ssh://, and/or
svn://-with-SASL-disabled are not affected.

As to svn://-with-SASL, libsasl can optionally link against libssl, but I'm
not sure whether it can trigger the vulnerable codepath.

svn:// over stunnel would be affected too --- just in case someone is using
that.

Daniel

> There are various good write-ups about
> it, but even an internal website vulnerable to these hacks could
> apparently have usernames and passwords stolen by a zombied or
> rootkitted host inside your network. So strongly consider updating
> *all* your websites to avoid the bug, and other bugs, and strongly
> consider your password management and expiration procedures for
> vulnerabilities that may have been exploited any time in the last two
> years.
>
> http://www.theatlantic.com/technology/archive/2014/04/how-to-check-if-a-site-is-safe-from-heartbleed/360417/